11/6/2009

1

IPv6 Introductionon MikroTik

MikroTik User Meeting,Jakarta, November 6th 2009

Christian DwinantyoD-NET

Introduction

• Speaker

– Christian Dwinantyo

• NOC Manager @ D-NET

• christian@dnet.net.id

• Company

– D-NET

• A Medium size ISP focus on corporate customers

• Use MikroTik as CPE router and gateways.

11/6/2009

2

Acknowledgement

• The material used in this course was created by using :

• Information and slides provided by APNIC

• MikroTik Wiki about IPv6 in RouterOS.

• http://wiki.mikrotik.com

• We acknowledges with thanks and appreciation the contribution and support of APNIC and MikroTik Wiki.

Overview

• What is IPv6?• Enhancement from IPv4

• IPv6 addressing• Autoconfiguration

• Why do we need IPv6?• Transition

• Dual stack, tunneling, translation

• RouterOS support on IPv6• Routing protocols• Firewall• wireless

11/6/2009

3

What is IPv6

• RFC2460 :

– IP version 6 (IPv6) is a new version of the Internet Protocol, designed as the successor to IP version 4 (IPv4) [RFC-791]. The changes from IPv4 to IPv6 fall primarily into the following categories:

• Expanded Addressing Capabilities

• Header Format Simplification

• Improved Support for Extensions and Options

• Flow Labeling Capability

Improvement from IPv4

• 128 bits, compared to 32 bits IPv4

• Longer but simpler header

• Neighbor Discovery to replace ARP

• New address types: unicast, multicast and anycast.

• No longer use broadcast

• Autoconfiguration

11/6/2009

4

Address Space

• IPv4 address space (32 bits):

• 232 = 4,294,967,296 addresses

• IPv6 address space (128 bits):

• 2128=

340,282,366,920,938,463,463,374,607,431,768,211,456

addresses

IPv4 and IPv6 header comparison

Version IHL Type of Service Total Length

4 bits 4 bits 8 bits 16 bits

Identification Flags Fragment Offset

16 bits 4 bits 12 bits

TTL Protocol Header Header Checksum

8 bits 8 bits 16 bits

Source Address

32 bits

Destination Address

32 bits

IP options

0 or more IPv4 Header bits

Version Traffic Class Flow Label

4 bits 8 bits 20 bits

Payload Length Next Header Hop Limits

16 bits 8 bits 8 bits

Source Address

128 bits

Destination Address

128 bitsLegend :

= Eliminated in IPV6

=Enhanced in IPv6

=Enhanced in IPv6

=Enhanced in IPv6

11/6/2009

5

Neighbor Discovery Protocol

• Replace ARP function in IPv4.

• Responsible for discovery of other nodes on the link.

• Determining the link layer addresses of other nodes.

• Finding available routers.

• Maintaining reachability information about the paths to other active neighbor nodes.

• Used in address autoconfiguration.

IPv6 Addressing

• Hexadecimal values of eight 16 bit fields separated by colon.

• Example:

– 2001:0DB8:124C:C1A2:BA03:6735:EF1C:683D

• Abbreviated form of address

– 2001:0DB8:0023:0000:0000:036E:1250:2B00

– 2001:DB8:23:0:0:36E:1250:2B00

– 2001:DB8:23::36E:1250:2B00

– (Null value can be used only once)

11/6/2009

6

IPv6 Address Types

• Unicast

– An identifier for a single interface

• Anycast

– An identifier for a set of interfaces

• Multicast

– An identifier for a group of interfaces

IPv6 Addressing – Unicast Address

• Link-Local Address (fe80::/10)

– Used to communicate between other ipv6 interfaces in the same network link.

– Only valid on a single link.

– Auto assigned

– Not routeable to Internet.

• Global Address

– Routeable to Internet

11/6/2009

7

Special IPv6 addresses

• Unspecified address – 0:0:0:0:0:0:0:0/128 (::/128)– Similar to 0.0.0.0 in IPv4

• Loopback address– 0:0:0:0:0:0:0:1/128 (::1/128)– Similar to 127.0.0.1 in IPv4

• Link-Local addresses– fe80::/10

• Unique Local addresses (ULA)– fc00::/7

• Documentation addresses– 2001:db8::/32

IPv6 Addressing – Global Unicast Address

• Global Routing Prefix

– Assigned to a site , eg. 2404:1b8

– Designed to be structuted hierarchically by the RIRs and ISPs

• Subnet ID

– Identifier of a subnet within a site

• Interface ID

– Unique identifier for a particular interface of a device.

11/6/2009

8

IPv6 Addressing – Global Unicast Address

• Example: an ISP received 2001:db8/32

• Ipv6 address in a host in that ISP: 2001:db8:1:1:7d9f:26c7:30d3:ee82

– 2001:db8 global routing prefix

– 1:1 subnet ID

– 7d9f:26c7:30d3:ee82 interface ID

IPv6 Addressing – Interface ID

• The lowest-order 64-bit field addresses

• may be assigned in several different ways:

– auto-configured from a 48-bit MAC address expanded into a 64-bit EUI-64

– assigned via DHCP

– manually configured

– auto-generated pseudo-random number

(to counter some privacy concerns: RFC 3041)

– possibly other methods in the future

11/6/2009

9

IPv6 Autoconfiguration

• Using Link-Local to communicate to other devices in the same link.

• Enable Plug and Play

• No manual configuration on client side

• Minimal router configuration

• Stateless Does not need DHCP server

• Statefull Need DHCP Server (running DHCPv6)

IPv6 Autoconfiguration - Stateless

1. new Host A is turned on, tentative address will be assigned to the new host.

2. Duplicate Address Detection (DAD) is performed, the host transmit a Neighbor Solicitation (NS) message to all-nodes multicast address (FF02::1),

3. If no Neighbor Advertisement (NA) message comes back then the address is unique.

4. fe80:7d9f:26c7:30d3:ee82 will be assigned to Host A.

11/6/2009

10

IPv6 Autoconfiguration - Stateless

1. Host. A will send Router Solicitation (RS) request to the all-routers multicast group (FE02::2).

2. The router will reply with Routing Advertisement (RA).

3. The new host will learn the network prefix. E.g, 2001:db8:1:1/64

4. The new host will assigned a new address Network prefix+InterfaceID 2001:db8:1:1:7d9f:26c7:30d3:ee82

Why we need IPv6

• IPv4 exhaustion.

– Only 10% left

• Considerable number of Internet users growth.

• IPv6 provide larger address space.

11/6/2009

11

IPv6 Transition Methods

Three basic transition methods:

• Dual Stack

– IPv4 and IPv6 can coexist in the same device.

– Smoother transition

– Need all nodes to be dual stacked.

– If we can dual stack all nodes, does it mean that we have enough IPv4, thus eliminate the need of IPv6?

IPv6 Transition Methods

• Tunneling

– IPv6 data is encapsulated in IPv4

– A great way to start if your upstream does not support IPv6 connectivity.

11/6/2009

12

IPv6 Transition Methods

• Translation

– Not yet supported in RouterOS

IPv6 in RouterOS

• MikroTik IPv6 support at the moment (RouterOS 3.28/4.0beta4): – static addressing and routing; – router advertisement daemon (for address

autoconfiguration) – dynamic routing: BGP+, OSPFv3, and RIPng

protocols – DNS name servers; – 6in4 (SIT) tunnels; – telnet , ping and traceroute; – web proxy; – sniffer and fetch tools;

11/6/2009

13

IPv6 in RouterOS

• Features not yet supported: – DHCPv6;

– all PPP (Point-to-point protocols);

– IPSEC;

– SSH, FTP, API, Winbox, Webbox access;

– queues;

– automatic tunnel creation;

– policy routing;

– multicast routing;

– MPLS;

– torch, netwatch, bandwidth test and other tools;

IPv6 setup on RouterOS

11/6/2009

14

More Routing Protocols on RouterOS

Static Addressing

Add address:>ipv6 address add address=2404:1b8:0:3::abcd/64

interface=ether2 advertise=no

See all IPv6 addresses:> ipv6 address print

Flags: X - disabled, I - invalid, D - dynamic,

G - global, L - link-local

# ADDRESS INTERFACE ADVERTISE

0 DL fe80::20c:42ff:fe1e:b1c8/64 ether2 no

1 DL fe80::20c:42ff:fe18:f304/64 wlan1 no

2 G 2404:1b8::3:0:0:0:abcd/64 ether2 no

11/6/2009

15

Static Addressing

Default Route

Add Default Route> ipv6 route add dst-address=::/0 gateway=2404:1b8:0:3::1

See all IPv6 route> ipv6 route print

Flags: X - disabled, A - active, D - dynamic,

C - connect, S - static, r - rip, o - ospf,

b - bgp, U - unreachable

# DST-ADDRESS GATEWAY DISTANCE

0 A S ::/0 2404:1b8::3:0:0:0:1 1

1 ADC 2404:1b8::3:0:0:0:0/64 ether2 0

11/6/2009

16

Default Route

Dual Stack on RouterOS

11/6/2009

17

Dynamic Routing Protocols

• All dynamic routing protocols (RIPng, OSPFv3, BGP) require a valid Router ID to function.

• Router ID can be:

– configured manually,

– one of router's IPv4 addresses

• If no IPv4 addresses are present, the router ID selection process will fail Dynamic routing protocols will also not work.

RIPng (RFC 2080)

• Distance-vector, radius of 15 hops

• Based on RIPv2

• Support IPv6

• Uses built-in IPSec feature in IPv6 for authentication

• Uses the multicast group ff02::9, the all-rip-routers multicast group, as the destination address for RIP updates.

11/6/2009

18

RIPng (RFC 2080)

• Router A

– eth1 = 2001:db8:1000:1000::1/64

– eth2 = 2001:db8:aaaa:aaaa::2/64

• Router B

– eth1 = 2001:db8:2000:2000::1/64

– eth2 = 2001:db8:aaaa:aaaa::3/64

RIPng (RFC 2080)

• RouterA dan RouterB– Routing ripng interface add interface=all

passive=no

– Routing ripng set redistribute-connected=yes

11/6/2009

19

OSPFv3 (RFC 2740)

• Uses the same fundamental mechanisms as OSPFv2

• Not backward compatible with OSPFv2

• Dual stack running OSPF must have both OSPFv2 and OSPFv3 configured.

• no configuration for networks anymore

• and interface configuration becomes mandatory, since OSPFv3 runs on link, not IP subnet, basis.

OSPFv3 (RFC 2740)

11/6/2009

20

OSPFv3 (RFC 2740)

• Using the previous topology, on RouterA and RouterB, we add:– routing ospf-v3 instance add

name=default redistribute-static=as-

type-1

– routing ospf-v3 area add

name=backbone instance=default

– routing ospf-v3 interface add

interface=all area=backbone

OSPFv3 (RFC 2740)

11/6/2009

21

BGP (RFC 2545/2858)

• BGP already supports multiple address families

• Example using the same topology, with AS 65530:

• routerA– routing bgp peer add remote-

address=2001:db8:aaaa:aaaa::3 remote-

as=65530 address-families=ip,ipv6

– routing bgp network add

network=2001:db8:1000:1000::/64

• routerB– routing bgp peer add remote-

address=2001:db8:aaaa:aaaa::2 remote-

as=65530 address-families=ip,ipv6

BGP (RFC 2545/2858)

11/6/2009

22

IPv6 Wireless

• Setup wlan Interface

IPv6 Wireless

Add IPv6 address to wlan interface> ipv6 address add address=2404:1b8:aaaa::1/64

interface=wlan1 advertise=yes

> ipv6 address print

Flags: X - disabled, I - invalid, D - dynamic, G

- global, L - link-local

# ADDRESS INTERFACE ADVERTISE

0 DL fe80::20c:42ff:fe1e:b1c8/64 ether2 no

1 DL fe80::20c:42ff:fe18:f304/64 wlan1 no

2 G 2404:1b8::3:0:0:0:abcd/64 ether2 no

3 G 2404:1b8:aaaa::1/64 wlan1 yes

11/6/2009

23

IPv6 Wireless

Dual Stack Wireless

11/6/2009

24

Dual Stack Wireless

Firewall

• Basically the same with IPv4 version

• Support Mangle and Address List

11/6/2009

25

6to4 Tunneling

• Need a global routable IPv4 address for router interface.

• If you don’t have your own AS and IPv6 address block:

– Sign in at a tunnel broker, eg: www.tunnelbroker.net

– Click “Create Regular Tunnel”

– Setup 6to4 interface on RouterOS

– Time needed : 5 minutes.

6to4 Tunneling

• After you register, you will get something like this:

Server IPv4 address: 216.218.221.6

Server IPv6 address: 2001:470:18:2ee::1/64

Client IPv4 address: 202.148.1.95

Client IPv6 address: 2001:470:18:2ee::2/64

Anycasted IPv6 Caching Nameserver: 2001:470:20::2

Anycasted IPv4 Caching Nameserver: 74.82.42.42

Routed /64: 2001:470:19:2ee::/64

11/6/2009

26

6to4 Tunneling

• On RouterOS:>interface 6to4 add comment="Hurricane Electric IPv6 Tunnel

Broker" disabled=no local-address=202.148.1.95 mtu=1280

name=sit1 remote-address=216.218.221.6

>ipv6 route add comment="" disabled=no distance=1 dst-

address=2000::/3 gateway=2001:470:18:2ee::1 scope=30

target-scope=10

>ipv6 address add address=2001:470:18:2ee::2/64

advertise=yes disabled=no eui-64=no interface=sit1

>ipv6 address add address=2001:470:19:2ee::1/64

advertise=yes disabled=no eui-64=no interface=eth1

6to4 Tunneling

11/6/2009

27

6to4 Tunneling

• If you have your own AS and IPv6 address block, you can fill this form:

– http://www.tunnelbroker.net/ipv6_bgp.php

• Build a 6to4 Tunnel

• Setup a full BGP session though this tunnel

Thank You!